News Archives

Friday, January 12, 2018

EC: Post-Brexit UK Will Become a Third Country

On January 9, the European Commission issued a Notice
to Stakeholders that states that after March 30, 2019 the UK will become a “third
country” with respect to transfers of personal data from the EU. Barring a change in the withdrawal date or
the achievement of an adequacy decision as part of a ratified withdrawal agreement,
the Notice states that organizations transferring personal data from the EU to
the UK will need to provide “appropriate safeguards” for the data, utilizing
standard contractual clauses, binding corporate rules, approved codes of
conduct or approved certification mechanisms, or justify the transfer on the
basis of one of the standard derogations, such as consent. Unfortunately for businesses, uncertainty
about the timing and substance of the withdrawal agreement may compel the
needless expenditure of resources on the development of alternative data
transfer mechanisms that prove to be unnecessary.

Data transfers from the UK to the US will also need a new legal underpinning
once the country’s separation from the EU occurs, since the UK will no longer
be eligible to utilize the EU-US Privacy Shield framework. Presumably a new UK-US Privacy Shield
framework could be developed without great difficulty, as was the case with the
creation of the Swiss-US Privacy Shield framework.